Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 202762 - app-antivirus/clamav < 0.91.2-r1 Multiple vulnerabilities (CVE-2007-{6335,6336,6337})
Summary: app-antivirus/clamav < 0.91.2-r1 Multiple vulnerabilities (CVE-2007-{6335,633...
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: High major (vote)
Assignee: Gentoo Security
URL: http://labs.idefense.com/intelligence...
Whiteboard: B1 [glsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2007-12-19 10:20 UTC by Robert Buchholz (RETIRED)
Modified: 2008-03-06 10:00 UTC (History)
3 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments
clamav-0.91.2-CVE-2007-5759.patch (clamav-0.91.2-CVE-2007-5759.patch,1.81 KB, patch)
2007-12-19 23:18 UTC, Robert Buchholz (RETIRED)
no flags Details | Diff
clamav-0.91.2-CVE-2007-6336.patch (clamav-0.91.2-CVE-2007-6336.patch,1002 bytes, patch)
2007-12-19 23:18 UTC, Robert Buchholz (RETIRED)
no flags Details | Diff
clamav-0.91.2-CVE-2007-6337.patch (clamav-0.91.2-CVE-2007-6337.patch,891 bytes, patch)
2007-12-19 23:18 UTC, Robert Buchholz (RETIRED)
no flags Details | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description Robert Buchholz (RETIRED) gentoo-dev 2007-12-19 10:20:33 UTC
iDefense:

Remote exploitation of an integer overflow vulnerability in Clam AntiVirus' ClamAV, as included in various vendors' operating system distributions, allows attackers to execute arbitrary code with the privileges of the affected process.

The vulnerability exists within the code responsible for parsing PE files packed with the MEW packer. During unpacking, two untrusted values are taken directly from the file without being validated. These values are later used in an arithmetic operation to calculate the size used to allocate a heap buffer. This calculation can overflow, resulting in a buffer of insufficient size being allocated. This later leads to arbitrary areas of memory being overwritten with attacker supplied data.
Comment 1 Robert Buchholz (RETIRED) gentoo-dev 2007-12-19 10:23:38 UTC
Andrej, is 0.92 ready for stabling?
Comment 2 Stefan Behte (RETIRED) gentoo-dev Security 2007-12-19 19:48:29 UTC
Portage 2.1.3.19 (default-linux/x86/2007.0/desktop, gcc-4.1.2, glibc-2.6.1-r0, 2.6.23-gentoo-r1 i686)
=================================================================
System uname: 2.6.23-gentoo-r1 i686 AMD Athlon(tm) XP 2400+
Timestamp of tree: Wed, 19 Dec 2007 18:30:01 +0000
app-shells/bash:     3.2_p17
dev-java/java-config: 1.3.7, 2.0.33-r1
dev-lang/python:     2.3.5-r3, 2.4.4-r6
dev-python/pycrypto: 2.0.1-r6
sys-apps/baselayout: 1.12.9-r2
sys-apps/sandbox:    1.2.18.1-r2
sys-devel/autoconf:  2.13, 2.61-r1
sys-devel/automake:  1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r2, 1.10
sys-devel/binutils:  2.18-r1
sys-devel/gcc-config: 1.3.16
sys-devel/libtool:   1.5.24
virtual/os-headers:  2.6.22-r2
ACCEPT_KEYWORDS="x86"
CBUILD="i686-pc-linux-gnu"
CFLAGS="-Os -march=athlon-xp -pipe"
CHOST="i686-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/kde/3.5/env /usr/kde/3.5/share/config /usr/kde/3.5/shutdown /usr/lib/fax /usr/share/X11/xkb /usr/share/config /var/spool/fax/etc"
CONFIG_PROTECT_MASK="/etc/env.d /etc/env.d/java/ /etc/gconf /etc/php/apache2-php5/ext-active/ /etc/php/cgi-php5/ext-active/ /etc/php/cli-php5/ext-active/ /etc/revdep-rebuild /etc/terminfo /etc/texmf/web2c /etc/udev/rules.d"
CXXFLAGS="-Os -march=athlon-xp -pipe"
DISTDIR="/usr/portage/distfiles"
FEATURES="distlocks metadata-transfer sandbox sfperms strict unmerge-orphans userfetch"
GENTOO_MIRRORS="ftp://192.168.0.2:66/ http://gentoo.intergenia.de/ ftp://ftp-stud.fht-esslingen.de/pub/Mirrors/gentoo/ ftp://ftp.tu-clausthal.de/pub/linux/gentoo/ ftp://ftp.uni-erlangen.de/pub/mirrors/gentoo/ ftp://ftp.join.uni-muenster.de/pub/linux/distributions/gentoo/ ftp://linux.rz.ruhr-uni-bochum.de/gentoo-mirror/ ftp://sunsite.informatik.rwth-aachen.de/pub/Linux/gentoo"
LANG="de_DE@euro"
LC_ALL="de_DE@euro"
LINGUAS="de"
MAKEOPTS="-j2"
PKGDIR="/usr/portage/packages"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --delete-after --stats --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages --filter=H_**/files/digest-*"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
SYNC="rsync://rsync.gentoo.org/gentoo-portage"
USE="3dnow 3dnowext X a52 aac acl acpi aiglx alsa amr apache2 arts asf berkdb bitmap-fonts bzip2 bzlib cairo cdb cdparanoia cdr cli cracklib crypt css cups curl dbus dga directfb divx4linux dri dts dv dvd dvdr dvdread eds emboss encode ethereal evo extrafilters fbcon ffmpeg firefox flac fortran ftp gcj gdbm gif gpm gstreamer gtk gtk2 hal iconv icq imagemagick isdnlog java jikes jpeg kerberos lame lzo mad midi mikmod mime mjpeg mmx mmxext motif mp3 mpeg mtrr mudflap musepack ncurses network nls nptl nptlonly nsplugin nvidia ogg oggvorbis opengl openmp oss pam pcre pdf perl png pppd print python qt3 qt3support qt4 quicktime readline real reflection samba sdl session snmp sockets spell spl sse ssl svg svga tcpd theora threads tiff truetype truetype-fonts type1-fonts unicode usb userlocales vcd vorbis win32codecs x264 x86 xine xinerama xml xorg xprint xv xvid xvmc zlib" ALSA_CARDS="ali5451 als4000 atiixp atiixp-modem bt87x ca0106 cmipci emu10k1 emu10k1x ens1370 ens1371 es1938 es1968 fm801 hda-intel intel8x0 intel8x0m maestro3 trident usb-audio via82xx via82xx-modem ymfpci" ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop empty extplug file hooks iec958 ioplug ladspa lfloat linear meter mulaw multi null plug rate route share shm softvol" APACHE2_MODULES="actions alias auth_basic authn_alias authn_anon authn_dbm authn_default authn_file authz_dbm authz_default authz_groupfile authz_host authz_owner authz_user autoindex cache dav dav_fs dav_lock deflate dir disk_cache env expires ext_filter file_cache filter headers include info log_config logio mem_cache mime mime_magic negotiation rewrite setenvif speling status unique_id userdir usertrack vhost_alias" ELIBC="glibc" INPUT_DEVICES="mouse keyboard" KERNEL="linux" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" LINGUAS="de" USERLAND="GNU" VIDEO_CARDS="nv nvidia"
Unset:  CPPFLAGS, CTARGET, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LDFLAGS, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS, PORTDIR_OVERLAY

0.92 works fine here.
Comment 3 Robert Buchholz (RETIRED) gentoo-dev 2007-12-19 23:18:18 UTC
Created attachment 138927 [details, diff]
clamav-0.91.2-CVE-2007-5759.patch
Comment 4 Robert Buchholz (RETIRED) gentoo-dev 2007-12-19 23:18:33 UTC
Created attachment 138929 [details, diff]
clamav-0.91.2-CVE-2007-6336.patch
Comment 5 Robert Buchholz (RETIRED) gentoo-dev 2007-12-19 23:18:47 UTC
Created attachment 138930 [details, diff]
clamav-0.91.2-CVE-2007-6337.patch
Comment 6 Robert Buchholz (RETIRED) gentoo-dev 2007-12-19 23:29:41 UTC
There were further vulnerabilities fixed in this release:

CVE-2007-6336:
    It was discovered that on off-by-one in the MS-ZIP decompression
    code may lead to the execution of arbitrary code.

CVE-2007-6337:
    fix bzlib bug (aCaB)   ???
    I am not sure about the contents of this yet.

<Ticho> well, both klamav and Mail::ClamAV use some clamav internal functions which shouldn't really be used outside of clamav, and those changed in this release

Ticho, can you please bump 0.91.2 with the attached patches? Thanks.
Comment 7 Andrej Kacian (RETIRED) gentoo-dev 2007-12-20 00:31:18 UTC
0.91.2-r1 committed, with these patches applied. Thanks!
Comment 8 Robert Buchholz (RETIRED) gentoo-dev 2007-12-20 00:33:48 UTC
Arches, please test and mark stable app-antivirus/clamav-0.91.2-r1.
Target keywords : "alpha amd64 hppa ia64 ppc ppc64 sparc x86"
Comment 9 Brent Baude (RETIRED) gentoo-dev 2007-12-20 01:36:23 UTC
ppc and ppc64 stable
Comment 10 Markus Meier gentoo-dev 2007-12-20 13:20:43 UTC
x86 stable
Comment 11 Ferris McCormick (RETIRED) gentoo-dev 2007-12-20 13:49:32 UTC
Stable for sparc.
Comment 12 Jeroen Roovers gentoo-dev 2007-12-20 14:52:23 UTC
Stable for HPPA.
Comment 13 Raúl Porcel (RETIRED) gentoo-dev 2007-12-20 16:00:52 UTC
alpha/ia64 stable
Comment 14 Peter Weller (RETIRED) gentoo-dev 2007-12-26 15:52:20 UTC
amd64 stable
Comment 15 Tobias Heinlein (RETIRED) gentoo-dev 2007-12-26 16:19:25 UTC
All arches done, GLSA request filed.
Comment 16 Robert Buchholz (RETIRED) gentoo-dev 2007-12-29 16:07:07 UTC
GLSA 200712-20, thanks everyone.
Comment 17 Peter Volkov (RETIRED) gentoo-dev 2008-03-06 10:00:28 UTC
Does not affect current (2008.0) release. Removing release.